Ontario home healthcare provider hacked, attacker wants money ‘for telling them how to fix their security’

The attacker would like to portray itself as providing a service, but ransom and blackmail are better words.

CBC News says a person or persons is demanding a payment from CarePartners, an Ontario home care provider, after apparently stealing thousands of detailed digital patient medical records.

“We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” CBC says an attacker told it.

To show it actually has data, the attacker sent some files to the CBC, which says they include phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province. The sample also included employee data. The attackers claimed the sample was part of hundreds of thousands of patient records and related materials they have going back to 2010.

CarePartners issued a press release June 18 saying it “has become the victim of a cyber-attack by sophisticated actors.” Patients and staff have been notified.

Later someone claiming to be an attacker contacted the CBC. The attackers said that they discovered vulnerable software on CarePartners’ network that had not been updated in two years “by chance,” and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes “completely unnoticed.”

“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” the group told CBC News. “None of the data we have was encrypted.”

Waterloo, Ont. police and the Ontario privacy commissioner are investigating.

The incident is another example of how any organization of any size that holds personal health data can be a target for data thieves and ransom. This data has to be protected with sophisticated methods. Among other things, that could include network segmentation, encryption and multi-factor authentication for those allowed access to that data.

CBC News points out that under Ontario’s Personal Health Information Protection Act, health-care providers are required to “take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information” and ensure that health records are retained securely.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
